No announcement yet.

Pre-Windows 2000, Everyone Group - 2k3 Domain

  • Filter
  • Time
  • Show
Clear All
new posts

  • Pre-Windows 2000, Everyone Group - 2k3 Domain

    I am working on the post ADMT tasks from a migration done 2 years ago and find that removing the Everyone group from the Pre-Windows 2000 Compatible group causes Group policy problems and Printer issues with users not being able to connect to a print queue.

    The print problem seems to stem from the Everyone group permission on the print queue but the print server Users group is also on the print queue security and the Domain Users are a member of that group so I don't understand why the connection fails. The problem arises when trying to load an updated or new print driver on to a workstation.

    My questions are:
    1) Has anyone else experienced issues like this before?
    2) If we upgrade to a Windows 2003 Domain Functional will there be a different security model/set of permissions applied to objects like GPO or AD objects which will alleviate the issues we have had with removing the Everyone group previously.

  • #2
    Re: Pre-Windows 2000, Everyone Group - 2k3 Domain

    Regarding the printing issue: if the problem arises only when trying to update the drivers, make sure the correct permissions are set on "C:\WINDOWS\system32\spool\drivers" folder, which is shared as "PRINT$" and is used when updating the drivers.

    wrt GPO, it depends. What are the symptoms ?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Pre-Windows 2000, Everyone Group - 2k3 Domain

      We did solve the reason why the GPO's weren't applying properly was because at one point the Authenticated users was taken off a specific OU used to hold server computer accounts - this meant the servers didn't have the gpLink and gpOption read access to the GPO's at that level. With the Everyone group returned into the Pre-Windows 2000 group the permissions for the Pre-Windows group allows read access permissions to the everyone group so the servers could read the GPO's assigned to the OU. Apparently this configuration was done for a specific reason way back when by the AD consultants that originally did the migration (I wasn't at the company then.)

      Now our concern is what might arise when we raise the Domain functional level to Windows 2003....

      I am looking at making sure I get all the correct default permissions set on to the OU so that if/when we remove the Everyone group, this error will not occur again.

      I will check the perms on the Spool folder as well....

      Thank you for your response...